Zero-day attacks thrive in 2006

By on
Zero-day attacks thrive in 2006

Online attackers are increasingly using zero-day flaws and targeting a wider array of applications, according to the annual Top 20 Security Attack Targets report from the Sans Institute.

Zero-day exploits target undisclosed or recently discovered vulnerabilities which have yet to be patched.

The attacks are often not detected by security software, and can be much more effective in compromising systems and installing malware.

Although Microsoft's Internet Explorer is still a favourite target, attackers are increasingly switching to other applications.

The Sans Institute reported a threefold increase in the number of attacks targeting Microsoft Office in 2006.

The organisation spotted 45 vulnerabilities in Office classified as either 'serious' or 'critical', nine of which were also reported as active zero-day exploits.

Excel and PowerPoint experienced sharp increases in the number of reported vulnerabilities.

Sans attributed this in part to the prevalence of Office and the fact that the suite does not have as much security protection as programs such as web browsers.

The report also pointed to a rise in attacks against two emerging technologies: VoIP and web-based applications.

Internet telephony has become a money making venture for cyber-criminals over the past year. Attackers have taken to breaking in to VoIP networks and reselling stolen minutes to unsuspecting consumers.

Sans also suggested that compromised VoIP systems could be used as a launch pad for denial of service attacks against the conventional land-line phone system.

Web-based applications such as e-commerce and online banking sites were another popular target. As such sites expose enterprise databases to the web, attackers can easily use the sites to access confidential information.

The report also attributed millions of cases of stolen credit card numbers to so-called SQL injection and cross-site scripting attacks.

SQL-injection involves entering specially crafted code into an online application in order to gain access to its database. In a cross-site scripting attack, online criminals run hidden code in a user's browser window.

Sans said that an internal testing project found that 40 per cent of the web applications it checked were vulnerable to SQL injection and 80 per cent were vulnerable to cross-site scripting attacks.
Copyright ©
In Partnership With

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?